Your message dated Sat, 06 May 2017 03:33:31 +0000
with message-id <[email protected]>
and subject line Bug#834922: fixed in gnupg2 2.1.18-7
has caused the Debian Bug report #834922,
regarding gnupg: Fails to sign if secret part of a signing subkey is not 
present, but its public part known (regression from gpg1)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
834922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834922
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 2.1.14-5
Control: affects -1 devscripts git-buildpackage git

Dear GnuPG Maintainers,

approximately since the switch to GnuPG 2.x I can no more use my
4096R/2FF9CD59612616B5 key to sign stuff:

----------------------------------------------------------------------
→ echo foo | gpg --clearsign
gpg: using "2FF9CD59612616B5" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

foo
gpg: signing failed: No secret key
gpg: [stdin]: clearsign failed: No secret key
----------------------------------------------------------------------

Nevertheless --list-secret-keys finds that key without issues:

----------------------------------------------------------------------
→ gpg --list-secret-keys 2FF9CD59612616B5
sec   rsa4096/2FF9CD59612616B5 2009-07-12 [SC]
uid                 [ultimate] Axel Beckert <[email protected]>
uid                 [ultimate] Axel Beckert (E-Mail + Jabber) <[email protected]>
uid                 [ultimate] Axel Beckert (Symlink) <[email protected]>
uid                 [ultimate] [jpeg image of size 3155]
uid                 [ultimate] Axel Stefan Beckert
uid                 [ultimate] Axel Beckert (FSFE Fellow) <[email protected]>
uid                 [ultimate] Axel Beckert (Debian Developer) <[email protected]>
ssb   elg4096/E230E02B004AB7CC 2009-07-12 [E]
ssb   rsa4096/6BE663C75A35C975 2014-12-29 [S] [expires: 2020-12-27]
----------------------------------------------------------------------

I can reproduce this issue even with only having a single line in my
~/.gnupg/gpg.conf:

----------------------------------------------------------------------
default-key 2FF9CD59612616B5
----------------------------------------------------------------------

I also tried using "default-key 6BE663C75A35C975" (i.e. the most recent
signing subkey) instead after David Bremner mentioned something about
known issues with subkeys on IRC. But that didn't help either.

I can though still sign stuff with my old, deprecated
1024D/C09E1D8995930EDE key, e.g. if I change the above line to
"default-key C09E1D8995930EDE":

----------------------------------------------------------------------
→ echo foo | gpg --clearsign
gpg: using "C09E1D8995930EDE" as default secret key for signing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

foo
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAle4ZssACgkQwJ4diZWTDt45PQCdH83vEH8DN0VLjZsxmfp6SLo6
LI0AnA319OwDkFwY8Vd2b6oYAbYHquMz
=IvvU
-----END PGP SIGNATURE-----
----------------------------------------------------------------------

Using gpg1 instead of gpg works fine with "default-key 2FF9CD59612616B5",
too:

----------------------------------------------------------------------
# echo foo | gpg1 --clearsign

You need a passphrase to unlock the secret key for
user: "Axel Beckert <[email protected]>"
4096-bit RSA key, ID 2FF9CD59612616B5, created 2009-07-12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

foo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----------------------------------------------------------------------

Ran into this issue with "gbp import-…", "debsign …" and "git tag -s …".

At least for debsign I found a workaround by instructing it to use gpg1
instead: "debsign -pgpg1 …" -- But that's not a solution for eternity.

Since I can even reproduce this with only having "default-key
2FF9CD59612616B5" in my ~/.gnupg/gpg.conf while that (secret and public)
key definitely exists in my keyring, I consider this being a bug, maybe
an incomplete conversion when GnuPG 2.x was first run or so.

IIRC the conversion happened during a run of "gbp import-dscs --debsnap
…" or similar command, i.e. nothing where I called gpg manually or could
intervene. At least there exists an empty file called
~/.gnupg/.gpg-v21-migrated, dated 16th of August 2016, 00:57 CEST
(GMT+0200).

P.S.: Even in the case that this is not a bug but a configuration issue
(then where?), any help or hint is appreciated as this issue severely
hinders me in doing work for Debian and I already invested several hours
to find a fix or at least track down the reason (commenting out line by
line in gpg.conf, etc.). TIA!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gnupg depends on:
ii  gnupg-agent    2.1.14-5
ii  libassuan0     2.4.3-1
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.23-4
ii  libgcrypt20    1.7.3-1
ii  libgpg-error0  1.24-1
ii  libksba8       1.3.4-4
ii  libreadline6   6.3-8+b4
ii  libsqlite3-0   3.14.1-1
ii  zlib1g         1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  dirmngr     2.1.14-5
pn  gnupg-l10n  <none>

Versions of packages gnupg suggests:
ii  parcimonie  0.10.2-1
ii  xloadimage  4.1-23+b2

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.1.18-7

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 May 2017 23:06:48 -0400
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb 
gpgv-static gpgv-win32 gnupg-l10n
Architecture: source
Version: 2.1.18-7
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Description:
 dirmngr    - GNU privacy guard - network certificate management service
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-agent - GNU privacy guard - cryptographic agent
 gnupg-l10n - GNU privacy guard - localization files
 gnupg2     - GNU privacy guard - a free PGP replacement (dummy transitional pa
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-static - minimal signature verification tool (static build)
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
 gpgv2      - GNU privacy guard - signature verification tool (dummy transition
 scdaemon   - GNU privacy guard - smart card support
Closes: 834922 854359 854829 858082
Changes:
 gnupg2 (2.1.18-7) unstable; urgency=medium
 .
   * scdaemon fixes from gniibe
   * more upstream fixes (Closes: #854359, #854829)
   * skip over missing signing keys (Closes: #834922)
   * drop all skel files (Closes: #858082)
   * Avoid spurious warnings when sharing a keybox with gpg >= 2.1.20
Checksums-Sha1:
 55835c0a42dfc61c69a2e4d634da257f7e69968d 3118 gnupg2_2.1.18-7.dsc
 f9cc8e78c28b4e53c74e679025fafb1a3f40d3e0 101187 gnupg2_2.1.18-7.debian.tar.bz2
 0e47180c0b12ff1a9482295c7df961732dec8d02 16399 gnupg2_2.1.18-7_amd64.buildinfo
Checksums-Sha256:
 4b525341decf760af5c5bd9f6b301e1a9b0e61cda0f11cbd1e4012dc988f0495 3118 
gnupg2_2.1.18-7.dsc
 1a8868f557142ca6f114b65789c31aab786a88371fde60ace3e002b2e1caa6bc 101187 
gnupg2_2.1.18-7.debian.tar.bz2
 b7e2ea46b0046e8e2f9623dc8d41dbc00cfbcd5e691843489ae8914c0d9e69bf 16399 
gnupg2_2.1.18-7_amd64.buildinfo
Files:
 6c66239c3f8f00260140cfa3837cfb73 3118 utils optional gnupg2_2.1.18-7.dsc
 32278e766cd09ce6a4d69047f672d7fa 101187 utils optional 
gnupg2_2.1.18-7.debian.tar.bz2
 99d7bb52f091336ade34039123eaa5a7 16399 utils optional 
gnupg2_2.1.18-7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
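
The bug title and the changelog entry "skip over missing signing keys" both turn on whether the secret part of a signing subkey is present locally. As an added example (not part of the report and not GnuPG's own code), this Python parser reads `gpg --list-secret-keys --with-colons` output, reports signing-capable keys whose secret part is only a stub, and models the skip as "newest valid signing key with a usable secret". The sample listing, its key IDs and that selection rule are assumptions.

```python
# Added example: find signing-capable keys whose secret part is missing.
# Input format: `gpg --list-secret-keys --with-colons`. SAMPLE is constructed
# (placeholder key IDs); it is not the reporter's keyring.
SAMPLE = """\
sec:u:4096:1:1111111111111111:1247356800:::u:::scESC:::+:
ssb:u:4096:16:2222222222222222:1247356800::::::e:::+:
ssb:u:4096:1:3333333333333333:1388534400::::::s:::+:
ssb:u:4096:1:4444444444444444:1419811200:1609027200:::::s:::#:
"""

def secret_state(marker):
    """Field 15 of sec/ssb: '#' = stub only, '+' = secret present, else card S/N."""
    if marker == "#":
        return "missing"
    if marker == "+":
        return "present"
    return "token" if marker else "unknown"

def signing_keys(colons):
    """Return one dict per signing-capable sec/ssb record."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        if "s" not in f[11]:            # field 12: this key's own capabilities
            continue
        keys.append({
            "keyid": f[4],
            "created": int(f[5]),       # epoch seconds (fixed-list-mode)
            "invalid": f[1] in ("r", "e", "d", "i"),  # revoked/expired/disabled/invalid
            "secret": secret_state(f[14]),
        })
    return keys

def missing_secret(keys):
    """Key IDs that can sign on paper but have no secret part locally."""
    return [k["keyid"] for k in keys if k["secret"] == "missing"]

def pick_signing_key(keys):
    """Assumed rule: newest valid signing key, skipping ones without a secret."""
    usable = [k for k in keys
              if not k["invalid"] and k["secret"] in ("present", "token")]
    return max(usable, key=lambda k: k["created"])["keyid"] if usable else None

if __name__ == "__main__":
    ks = signing_keys(SAMPLE)
    print("secret part missing:", missing_secret(ks))
    print("would sign with:", pick_signing_key(ks))
```

On a real keyring, feed the function the output of `gpg --list-secret-keys --with-colons <keyid>`; a non-empty `missing_secret` result for the newest signing subkey matches the condition named in the bug title.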
